Closed c0d1ngm0nk3y closed 1 week ago
We can enhance this to headers so as to handle cases where people can encrypt the stateful session header. cc: @wbpcode
Thanks @zuercher for triaging. What is the usual process for moving this forward?
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
Sorry, missed this question.
I think there are two parts to this.
Adding this functionality to the Header Mutation filter might be appropriate; I'm moving my query param modification PR to be a part of that filter since it operates on the :path header. Although I'm considering directly implementing encrypted cookies into the OAuth filter as a direct option, in which case idk how much use this filter would get.
Although I'm considering directly implementing encrypted cookies into the OAuth filter as a direct option
If the oauth2 token is the core scenario, I think this is OK.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Title: New filter for transparent encryption of cookies
Description:
Some cookies might contain confidential data, e.g. the OAuth access_token (see https://github.com/envoyproxy/envoy/issues/23508 and https://github.com/envoyproxy/envoy/issues/29656).
Envoy could make sure that those cookies are encrypted before they are sent to the user and decrypted before the request is handled.
In the case of OAuth, confidential cookies like access_token would only be stored encrypted.
Our proposal would be a new filter (e.g. EncryptedCookies) which transparently handles cookie encryption. The filter would need 2 inputs:
Open Questions: